Import customers
While importing data into Composable Commerce is generally straightforward, there are a few things to keep in mind when it comes to customer data. Customer data is special because it contains login information, including a password. For security reasons, passwords are not stored in clear text. When you transfer a customer account from one system to another, you cannot simply copy the passwords. In this guide, we explain how you can migrate your customer accounts from your current system to Composable Commerce.
Gradual migration including passwords
We recommend this approach as it provides the best experience for your existing customers. It avoids setting a new password during a checkout process, which introduces friction and might lead to cart abandonment.
When the customer logs in, the correct password is validated against the old encryption logic and stored in commercetools as the new password. The customer can then log in to commercetools as normal.
- Create a custom Type for the Customer resource that has two additional fields: a String field for the old hash and a Boolean field for isPasswordMigrated.
- Import all existing customer accounts into your commercetools Project. Use a random string as the password for the newly created accounts. Set isPasswordMigrated=false and store the old password hash in the created Custom Field.
- In the login code of the new solution (server-side), implement the following behavior:
  - Try to log in the new user to commercetools with the given username/password. If the user's password has not yet been migrated, this will result in a password mismatch error.
  - In your application's "password mismatch" error handler, apply the password to a (tested) re-implementation of the old hashing algorithm and see if it matches the old hash.
  - If it matches the old hash, use the plain password to update the customer resource in commercetools accordingly. Within the same update request, set isPasswordMigrated=true.
  - Then recover from the initial password mismatch error and try logging into commercetools again.
  - If the provided password does not match the old hash, or if the customer is already marked with isPasswordMigrated=true, go to the normal password mismatch handling routine.
- Once you have migrated, it is a good idea to re-import new or updated records from the old system, but skip those already set to isPasswordMigrated=true, so that you can catch those who logged in after the export but before the system was migrated.
Please note: isPasswordMigrated contains information about who has already logged in to their migrated account. We also recommend that you close existing sessions and do not attempt to migrate them when switching, to avoid potential problems such as shopping basket migration.
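The login fallback described in the steps above, as an added example that is not commercetools code. FakeStore is a hypothetical in-memory stand-in for the Project, and legacy_hash assumes the old system stored salt$sha256(salt + password); substitute your own tested re-implementation.

```python
import hashlib
import hmac
import secrets

class PasswordMismatch(Exception):
    """Stand-in for the platform's password mismatch error."""

def legacy_hash(password, salt):
    # Assumed legacy format: "salt$sha256(salt + password)" (constructed for this example).
    return salt + "$" + hashlib.sha256((salt + password).encode()).hexdigest()

class FakeStore:
    """Hypothetical in-memory stand-in for the Project; not the real API."""
    def __init__(self):
        self.customers = {}

    def import_customer(self, email, old_hash):
        # Import step: random password, old hash in a custom field, flag set to false.
        self.customers[email] = {"password": secrets.token_urlsafe(32),
                                 "oldHash": old_hash, "isPasswordMigrated": False}

    def sign_in(self, email, password):
        c = self.customers.get(email)
        # The real platform compares hashes; plain text is kept here only for brevity.
        if c is None or not hmac.compare_digest(c["password"].encode(), password.encode()):
            raise PasswordMismatch(email)
        return c

    def update_password(self, email, password):
        # New password and the flag change in one update, as the guide requires.
        self.customers[email].update(password=password, isPasswordMigrated=True)

def login(store, email, password):
    try:
        return store.sign_in(email, password)
    except PasswordMismatch:
        c = store.customers.get(email)
        # Already-migrated (or unknown) accounts never fall back to the old hash.
        if c is None or c["isPasswordMigrated"]:
            raise
        salt = c["oldHash"].partition("$")[0]
        # Constant-time comparison against the stored legacy hash.
        if not hmac.compare_digest(legacy_hash(password, salt).encode(), c["oldHash"].encode()):
            raise
        store.update_password(email, password)
        return store.sign_in(email, password)  # retry after recovering from the mismatch
```

The isPasswordMigrated check comes before the legacy comparison, so once a customer has migrated or changed their password, the old hash can no longer be used to sign in.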
Gradual migration with forced password reset
A simple way to solve the problem is to ask the customer for help. This is usually done by forcing the customer to log in again after the data has been migrated to the new system and to set a new password themselves. Try to avoid this approach, as it will create friction with your customers. It can give them the impression that there may have been a security problem. Only choose this option when the source system is no longer available and its encryption method cannot be reproduced.